Guess Who's Back: Shai-Hulud 3.0 The Golden Path

Kodem Security Research Team
December 29, 2025


Security analysts recently identified a new variant of the Shai-Hulud npm supply chain worm in the public registry, signaling continued evolution of this threat family. This variant, dubbed “The Golden Path”, exhibits modifications from prior waves of the malware, suggesting ongoing evolution in the threat actor’s tradecraft.

This shift reflects an emphasis on execution stability and cross-platform behavior rather than immediate scale. The new variant retains its execution and credential-harvesting behavior but introduces technical adjustments that improve concealment and cross-platform compatibility, particularly in Windows environments and when executed using the Bun runtime.

Affected Packages

Currently, only one package has been confirmed as containing this new malicious strain. Continued community monitoring is encouraged to detect expansion.

What’s New in the Golden Path Variant

According to the analysis, this new strain includes several technical deviations from prior Shai-Hulud variants:

  • Updated Package Structure: Execution is now driven by a renamed loader, bun_installer.js, while the payload logic resides in environment_source.js. These file names differ from the naming conventions observed in earlier waves.
  • Modified GitHub Exfiltration Behavior: Repositories created by this variant now use a new description marker, “Goldox-T3chs: Only Happy Girl”, an evolution from the earlier “Shai-Hulud: The Second Coming.” This change suggests a deliberate shift in how exfiltrated data is clustered and tracked by the actor.
  • New Exfiltration Filename Patterns: Stolen data is written to newly obfuscated JSON filenames that differ from prior variants:
    • 3nvir0nm3nt.json
    • cl0vd.json
    • c9nt3nts.json
    • pigS3cr3ts.json
    • actionsSecrets.json
  • Implementation Flaw: Analysts identified an inconsistency where the malware attempts to retrieve one filename, c0nt3nts.json, but writes data to another, c9nt3nts.json, presenting a novel hunting signature.
  • Resilience Enhancements: The variant includes better error handling for TruffleHog timeouts and support for Windows environments when executing through the Bun runtime.
  • Execution Markers in CI Environments: Analysis also identified the presence of the string SHA1HULUD within the GitHub Actions runner execution context. This marker appears to be used by the payload to tag or identify its runtime environment during execution.
  • Absence of Destructive Safeguards: Unlike some prior waves, this variant does not appear to include a destructive dead-man switch, suggesting the actor’s intent is data collection and persistence rather than disruption.
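The indicators listed above (loader and payload filenames, the obfuscated exfiltration JSON names including both sides of the c0nt3nts/c9nt3nts inconsistency, the SHA1HULUD runner marker and the repository description marker) can be turned directly into a filesystem hunt. The script below is an added example written for this post, not code from the Kodem analysis or from the malware; it walks an installed dependency tree and reports every file-name or string match. The demo directory it builds is constructed for illustration and the package name example-pkg is fictitious.

```python
"""Hunt for Shai-Hulud "Golden Path" indicators in an installed dependency tree.

Added example, not code from the write-up. The indicators are the filenames and
strings quoted in the article; the demo tree at the bottom is constructed.
"""
import tempfile
from pathlib import Path

# File-based indicators named in the write-up.
LOADER_FILES = {"bun_installer.js", "environment_source.js"}
EXFIL_FILES = {
    "3nvir0nm3nt.json", "cl0vd.json", "c9nt3nts.json",
    "c0nt3nts.json",  # read-side name from the reported flaw; hunt for both spellings
    "pigS3cr3ts.json", "actionsSecrets.json",
}
# String indicators: the CI runner marker and the GitHub repo description marker.
STRING_MARKERS = (b"SHA1HULUD", b"Goldox-T3chs: Only Happy Girl")

TEXT_SUFFIXES = {".js", ".cjs", ".mjs", ".json", ".ts", ".sh", ".yml", ".yaml"}
MAX_SCAN_BYTES = 2 * 1024 * 1024  # skip huge bundles; raise if you want full coverage


def hunt(root):
    """Return a sorted list of (indicator, relative_path) findings under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in LOADER_FILES:
            findings.append(("loader-file:" + path.name, rel))
        if path.name in EXFIL_FILES:
            findings.append(("exfil-file:" + path.name, rel))
        # Only read text-like files of reasonable size for the string markers.
        if path.suffix in TEXT_SUFFIXES and path.stat().st_size <= MAX_SCAN_BYTES:
            data = path.read_bytes()
            for marker in STRING_MARKERS:
                if marker in data:
                    findings.append(("string:" + marker.decode(), rel))
    return sorted(findings)


def build_demo_tree():
    """Construct a throwaway node_modules tree: one clean package, one carrying indicators."""
    root = Path(tempfile.mkdtemp(prefix="golden-path-demo-"))
    bad = root / "node_modules" / "example-pkg"  # fictitious package name
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(
        '{"name":"example-pkg","scripts":{"preinstall":"bun bun_installer.js"}}')
    (bad / "bun_installer.js").write_text("require('./environment_source.js');\n")
    (bad / "environment_source.js").write_text("const tag = 'SHA1HULUD';\n")
    (bad / "c9nt3nts.json").write_text("{}")
    clean = root / "node_modules" / "left-pad"
    clean.mkdir(parents=True)
    (clean / "index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for indicator, rel in hunt(demo):
        print(f"{indicator:40s} {rel}")
```

Run it against a real checkout with `hunt("/path/to/project")`; a file-name hit on the loader or payload names is strong on its own, while a string hit should be confirmed by reading the file, since a security tool's own signature database can legitimately contain these markers.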

Context: Shai-Hulud’s Broader Campaign

While this Golden Path variant appears currently isolated, it sits squarely within a series of widespread npm malware incidents that have impacted thousands of packages and tens of thousands of GitHub repositories. In earlier versions, this resulted in the compromise of packages from major vendors such as Zapier, Postman, ENS Domains and PostHog. This compromise facilitated the large-scale exfiltration of developer secrets.

Multiple sources have documented Shai-Hulud’s evolution:

  • A preceding campaign delivered trojanized npm packages that harvested credentials and created GitHub repositories with stolen tokens publicly exposed.
  • Researchers observed tens of thousands of GitHub repos and hundreds of npm packages affected globally, with significant risk of lateral infection via stolen tokens.
  • Vendor advisories have emphasized the severity and ongoing nature of these supply chain compromises.

Mitigation Recommendations

Security teams should treat this variant as part of the continuing Shai-Hulud ecosystem of threats:

  • Monitor Install-Time Execution: Enforce package integrity checks before installing dependencies, and review/restrict the use of npm lifecycle scripts within CI/CD pipelines.
  • Rotate Exposed Credentials: Immediately rotate any npm tokens, GitHub PATs, cloud keys or CI credentials that may have been exposed on machines where compromised packages were installed.
  • Monitor GitHub Activity: Watch for unauthorized repositories with naming or description patterns tied to Shai-Hulud variants.
  • Extend Detection Coverage: Update SIEM/EDR rules to identify known payload execution patterns and cross-reference internal dependency inventories against confirmed affected packages.
  • Ecosystem Feedback: Report any new compromised packages or artifacts to public security feeds and maintainers to improve community defenses.
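The first recommendation, reviewing and restricting npm lifecycle scripts, is where this variant actually gains execution: a loader invoked from an install-time hook. The audit below is an added example for this post, not a Kodem or npm tool; it lists every preinstall/install/postinstall/prepare hook in a dependency tree, rates hooks that launch a JS file with node or bun as higher risk, and checks whether the project's .npmrc carries the hardened setting ignore-scripts=true. The sample project and the package name example-dep are constructed.

```python
"""Audit npm lifecycle scripts before allowing installs in CI.

Added example, not code from the Kodem write-up or from npm. It flags the
hooks npm runs automatically during `npm install`, highlights ones that
execute a JS file directly, and checks .npmrc for ignore-scripts=true.
The sample project is constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# Hooks npm executes automatically at install time; these are the entry
# points an install-time supply chain worm relies on.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Loosely matches "node something.js" / "bun something.js" style commands.
RUNS_SCRIPT_FILE = re.compile(r"\b(node|bun)\s+\S+\.(c|m)?js\b")


def audit_package(pkg_json_path):
    """Return a list of findings for one package.json (empty if nothing to flag)."""
    try:
        manifest = json.loads(Path(pkg_json_path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return [{"package": str(pkg_json_path), "hook": None, "command": None,
                 "severity": "warn", "reason": "unreadable package.json"}]
    name = manifest.get("name", "<unnamed>")
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        direct = bool(RUNS_SCRIPT_FILE.search(cmd))
        findings.append({
            "package": name, "hook": hook, "command": cmd,
            "severity": "high" if direct else "medium",
            "reason": ("install-time hook runs a JS file directly" if direct
                       else "install-time hook present"),
        })
    return findings


def audit_tree(root):
    """Audit every package.json below root; findings sorted by package and hook."""
    findings = []
    for pkg_json in Path(root).rglob("package.json"):
        findings.extend(audit_package(pkg_json))
    return sorted(findings, key=lambda f: (f["package"], f["hook"] or ""))


def scripts_disabled(npmrc_path):
    """True if the given .npmrc sets ignore-scripts=true (the hardened setting)."""
    path = Path(npmrc_path)
    if not path.exists():
        return False
    for line in path.read_text(encoding="utf-8").splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False


def build_demo_project(harden):
    """Construct a throwaway project: one benign dep, one with a suspicious preinstall hook."""
    root = Path(tempfile.mkdtemp(prefix="lifecycle-audit-"))
    sus = root / "node_modules" / "example-dep"  # fictitious package name
    sus.mkdir(parents=True)
    (sus / "package.json").write_text(json.dumps({
        "name": "example-dep", "version": "1.0.0",
        "scripts": {"preinstall": "bun bun_installer.js", "test": "jest"},
    }))
    ok = root / "node_modules" / "left-pad"
    ok.mkdir(parents=True)
    (ok / "package.json").write_text(json.dumps({"name": "left-pad", "version": "1.3.0"}))
    # Weak default: scripts allowed. Hardened: ignore-scripts=true.
    (root / ".npmrc").write_text("ignore-scripts=true\n" if harden else "save-exact=true\n")
    return root


if __name__ == "__main__":
    project = build_demo_project(harden=False)
    print("ignore-scripts set:", scripts_disabled(project / ".npmrc"))
    for f in audit_tree(project):
        print(f"[{f['severity']}] {f['package']} {f['hook']}: {f['command']}")
```

Setting ignore-scripts=true also suppresses legitimate native builds, so teams that adopt it typically pair it with a short allow list and run `npm rebuild` for the trusted packages that genuinely need a build step; the audit output is what you review to decide that list.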

Conclusion: The Sandworm Isn’t Done

The discovery of The Golden Path strain represents an incremental yet significant evolution in npm supply chain threats. By combining enhanced evasion with tried-and-true exfiltration and propagation techniques, this variant reminds us that malicious actors treat the open-source ecosystem as fertile ground for escalation.

As defenders and developers alike reckon with this new phase, the imperative is clear: keep collaborating as a community, secure dependencies early, inspect behavior deeply, practice swift credential hygiene, and treat install-time execution risks as first-class citizens in your security posture.
